
The Dynamic World of Bug Bounty Hunting Through My Personal Journey by Chan Nyein Wai

BSides Myanmar · 2024 · 44:19 · Published 2025-01
Category: Career · Style: Talk

About this talk
"The Dynamic World of Bug Bounty Hunting Through My Personal Journey" I will be talking about the dynamic world of bug bounty hunting through my personal journey, which started in 2021 on Synack and expanded across multiple platforms and a range of vulnerabilities. I’ll share my transition from traditional penetration tester to becoming a dedicated bug bounty hunter, discussing the tools, methodologies, and unique bugs I’ve uncovered along the way. Drawing on over three years of experience, I’ll present specific bugs I’ve found and recommend bug classes that are ideal for beginners to focus on. From initial reconnaissance to the power of automation, we’ll delve into essential skills, effective techniques, and common pitfalls in bug hunting. Whether you're a seasoned hunter or just curious, this talk will offer valuable takeaways and strategies to help you uncover impactful vulnerabilities. #BSidesMyanmar2024 #InformationSecurityConference
Transcript [en]

Hello, everyone. My current position is based in Thailand. About half of the members of my company's staff are working from Thailand and have experience in this field. It is the same experience in a hybrid setup, as we have a common office in Yangon and we sometimes work from both places. Wait a minute. I need to fix my shared screen. Let me try sharing it again. Can you see it? Okay. Hello, today I'll be talking about Bug Bounty based on my personal experience. My name is Chan Nyein Wai, known by the handle bytehx in bug bounties. This is my portfolio. Currently, I'm working as a Senior Pentester at Central Group in Thailand. That's all for my intro. In today's agenda, we first cover the basics of Bug Bounty and how I transitioned from pentesting. I'll showcase the types of vulnerabilities I found and the methodology and common toolsets that I have used. I'll share some success stories and notable case studies, concluding with my experience at the recent LHE event organized by YesWeHack.

To introduce my cybersecurity background, I started working as a pentester about three or four years ago in a local company. After a few months, I was promoted to Senior and joined the Synack Red Team. That's how I got interested and participated in Bug Bounty. Initially, I wasn't really committed to Bug Bounty since it's commonly thought of as short-term and inconsistent income. However, once I started working as a pentester and finished my OSCP certification, I faced some challenges during my initial transition to hunting. There were fewer resources available than now, and few local hunters as well. To get into Bug Bounty, if you already have some experience in pentesting and web applications, you can learn more by reading write-ups from pentester.land and HackerOne Hacktivity. Some notable YouTube channels that provide learning materials are Nahamsec, Stok, and the Critical Thinking Podcast.

Other learning resources for beginners could be Hack The Box's Bug Bounty Hunter path, Pentesterlab, HackingHub, and TryHackMe, which is one of the most basic platforms to learn on. These are some of the security vulnerability types that I found, and I am listing the ones that I can recall. These range from common vulnerabilities discovered using manual analysis to those found by automated tooling. Discussing my learning curve: I remember struggling for about eight months in Synack before finding my first bug. It happened during my initial learning of the Synack culture and understanding of the platform. It was difficult starting out because Synack's environment provides VPN testing, and sometimes I would connect through a slow, 1 Mbps Wi-Fi, which made the testing really slow and frustrating. Despite these initial failures, my persistence became a major key in finding more security bugs.

During my learning path, I focused on some strategies. I read many write-ups and tried to stay consistent during some gaps. Instead of focusing only on recon, I transitioned my focus more to main applications. I ranked in the top 100 within Synack after a year of consistent hunting. After moving to Thailand and starting my Senior Pentester position, I had more workload and more responsibilities, preventing me from focusing on bug bounty for a while. Then the Synack platform experienced low activity following the Silicon Valley Bank crisis, giving few opportunities because some of these companies and clients dropped their bug bounty budgets. This forced some changes in the platform, introducing price differences based on the vulnerabilities found. Later on, I became curious about automation and spoke with a hunter on the X platform who made around $15,000 using automated discovery. This was an inspiration to start my own automation tools and refine my process.

I moved to testing some public and private programs at YesWeHack, and after three or four months, I successfully found my first bugs using my local automation tools, increasing my bounty income. That's why I currently focus on many top bug bounty platforms such as HackerOne, Intigriti, and Synack. Common bug bounty methodologies that you can use are manual hunting, automation, doing some security research, and gadget-based hunting. Using research means looking for a bug in a known product and scanning for it at scale across multiple assets. Gadget-based hunting is when you find some low impact bugs like Open Redirect or XSS and store these techniques to find higher impact later as part of a chain. Automation can be many things, but standard automation is not only running common community scripts; it is more about building your own tools and refining your custom approach. Manual hunting means getting to understand the main application correctly.

I will expand more about developing your custom methodology. As I mentioned, you need persistence and focus to understand the main web application to find deep logical bugs or high impact issues. One important tip is that technologies and platforms evolve quickly, so your methodology should change too, since older techniques like subdomain takeovers are less common. Learn from successful hunters such as Rhynorater and other skilled bug bounty professionals; this will help you improve your strategies. My current methodology includes many custom databases and automated finders that can automatically find common vulnerabilities across entire scopes. Doing manual code reviews of JS files and looking for CVEs can become part of manual hunting. Sometimes I focus on more high impact bugs like IDOR, Access Control, and XXE, depending on the scope.

One of my strategies is focusing deep across main applications instead of just looking wide across wildcard assets. Persistence and deep manual testing will always give better results. I built my own custom search framework, and although it's always under development, it helps me store URLs and crawl interesting endpoints to find security bugs. I used Golang to rewrite some subdomain scanners and I keep refining my automation to improve the quality of my findings. My automation can find various bugs like SQLi, XSS, and SSRF. I am also currently experimenting with some AI models to improve finding high impact bugs like Access Control and IDORs. Now, let's explore some case studies of bugs that I have found. Case 1 is a Reflected XSS through my custom monitoring. After monitoring for a few months, I eventually found this simple bug by fuzzing some parameters and received a reward of about $1,000 to $2,000.

Case 2 is a Personally Identifiable Information (PII) Leak via an API endpoint. This private program rewarded me between $7,000 and $10,000 for this discovery. I found it when registering for a normal user account and extracting a JWT token. Fuzzing API endpoints revealed that sensitive data like email addresses and password hashes were exposed. Case 3, found through monitoring, is Default Credentials. I monitored the scope for three months and found a new subdomain. Using default 'admin' credentials, I got access to a database monitoring portal that could execute some SQL queries. The reward for this was between $500 and $1,000. Case 4 is a simple SQL injection found by manual testing. Testing registration and common input parameters did not work, but I found that selecting some shipping methods could trigger this SQLi. The reward for this was around $2,000 to $3,000.

Case 5, found using custom subdomain monitoring, was discovering untouched assets. Running the Nuclei scanner for some private program, I found a public S3 bucket where you could create new files, which could result in stored XSS. This was a high impact bug and rewarded me between $3,000 and $5,000. Case 6 is a Reverse Proxy Bypass on a Spring Boot Actuator. I used manual discovery and found a path bypass technique that could reveal some heap dump files. This file contains snapshots of some sensitive user data. Since this happened in non-production assets, the reward was smaller, between $700 and $1,000. The last case study was escalating SSRF. Manual analysis on PDF generation resulted in finding SSRF on a Windows machine. To improve the impact, I used the Responder tool to leak NTLM hashes. This was considered critical and rewarded about $3,000 to $5,000.

Now, about collaboration with other hunters. Sharing information can result in some trust issues and negative experiences, but it's important for increasing common knowledge. My principle is usually going for a 50/50 reward split when collaborating. To avoid problems, we should not share recon databases with many people. For example, I found a Prototype Pollution bug and spoke with a hunter to escalate it to XSS. This worked out and we found a Stored XSS that gave us a high impact reward. Transparency is another important key for collaboration. Finally, describing my experience at the LHE in Rome. It was an event organized by YesWeHack. Some groups participated based on their country. I focused more on automation and I found my first bug within thirty minutes of activity. I eventually ranked in the Top 8.

If you have more questions, feel free to contact me through my social media platforms. Thank you all for having me and inviting me to speak at BSides. Thanks. We already spent around 8 minutes of my time. Oh, sorry about that. It's okay. You can answer some questions from our attendees and I will open your mic now.

The first question asks about your current income and total bounty earnings, to serve as inspiration for juniors. Alright, for my current income, my total earnings from bug bounty are nearing $60,000. Another question asks what coding languages should be used for automation and monitoring. I prefer Golang, but many hunters also use Python and Rust. Most of my automation is built around my daily needs and focused on finding common vulnerabilities like XSS. The next question asks for tips for beginners to find authentication and business logic errors. I suggest that beginners first focus on deep manual analysis of the main applications before starting with automation. One person asks about your hardest bug discovery. I think it is the SSTI case I found on an application with the Java Expression Language. I had to read through lots of documentation to escalate its impact, as we found it difficult to get RCE. Eventually, I was able to leak credentials from memory.

The final question is about the level of required development experience to start in bug bounty. You don't necessarily need coding or development background to find bugs like Access Control or IDORs. It's perfectly fine to start and succeed even without a high technical background. Alright. We are out of time now, so thank you again. We'll proceed with our next session.